Managing Certificates with a CRL

Use the Manage CA Certificate page in AMC to configure certificate revocation checking for individual certificates, and determine the connection types the certificate is used to secure.

To verify the validity of a client certificate and configure certificate revocation

1. In the AMC, navigate to System Configuration > SSL Settings.

2. Under CA Certificates, click Edit on the NNN certificates line.

   All of the installed certificates are displayed.

   

3. To see details about a certificate, click the right arrow ( ) in the second column. To edit a certificate, click its link. For example:

   1. Click the right arrow ( ) next to a GlobalSign certificate to see its details.

      

   2. Click the link to edit it.

      The Manage CA Certificate page displays.

      

4. In the Used for area, specify the connection types this certificate is used to secure.

   • Authentication server connections (LDAPS)—See Configuring a PKI Authentication Server.

   • Web server connections (HTTPS)-See CA Certificates.

   • Device profiling (End Point Control)-See the Device Profile Attributes: client certificate table in Device Profile Attributes.

   • OCSP response verification - Verifies a response from a configured OCSP responder.

   • SAML message verification- Verifies a SAML message.

5. To specify CRL settings, check the Use Certificate revocation list in the Certificate revocation checking area.

   The format for the CRL must be DER-based (.crl); the appliance cannot use a CRL that's been created in PEM format.

   

6. The appliance retrieves lists of revoked certificates from a CRL distribution point (CDP). Specify the location of this CDP:

   • The CDP is usually specified in the certificate itself. By default, the appliance uses the CDP from the client certificate.

   • Alternatively you can specify a URL for it. Check the Use this certificate distribution point (CDP) checkbox. If a login is required for it, type the credentials.

7. If Use this certificate distribution point (CDP) is selected, you can specify how often the CRL should be retrieved using the Download CRL every <n> hours option. If you don’t specify a download interval, a new CRL is retrieved when the old one expires. (CRLs are updated frequently so that when a certificate is revoked, that information is distributed in a timely manner).
8. The appliance checks client certificates against this list. To perform CRL checking for the entire chain of certificates, starting with the CA root certificate, select the Validate the entire chain checkbox.
9. Specify whether users should be allowed or denied access if the CDP is inaccessible by selecting Allow user access or Block user access. The remote CDP you specified might be offline, or it may not be indicated on the certificate. (It is an optional item for the X.509 standard, not a mandatory one.)

10. Click Save.